TCP.Data.On.SYN

description-logoDescription

This indicates detection of a TCP SYN packet that contains data.
According to the TCP standard, there is only one case wherein a correct implementation of TCP/IP stack can accept a data packet with no ACK flag set --- the initial connection-soliciting SYN packet can contain data, but must not have the ACK flag set. In any other case, a data packet not bearing the ACK flag should be discarded.
Some vulnerable systems may accept data segments that do not have the ACK flag set, and as a result, allow attackers to bypass the TCP handshake procedures by prematurely closing it with a FIN packet. In the process of doing this, data will be delivered to the listening system without proper sequence number verification. An attacker can use this method to spoof a TCP transaction.

affected-products-logoAffected Products

Systems, especially many Linux systems, connected to the Internet are vulnerable to the attack.

Impact logoImpact

This is a protocol which run anomaly. Attackers can successfully bypass firewalls and attack a vulnerable system.

recomended-action-logoRecommended Actions

If a SYN packet contains abnormal data, you can select "Block" as the default action for this signature.

Coverage

IPS (Regular DB)
IPS (Extended DB)

References

1